package org.openremote.container.security.keycloak;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.proxy.LoadBalancingProxyClient;
import io.undertow.server.handlers.proxy.ProxyHandler;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.api.LoginConfig;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.core.UriBuilder;
import java.net.URI;
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget;
import org.jboss.resteasy.client.jaxrs.internal.ResteasyClientBuilderImpl;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.admin.client.resource.RealmsResource;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.openremote.container.security.IdentityProvider;
import org.openremote.container.util.MapAccess;
import org.openremote.container.web.OAuthFilter;
import org.openremote.container.web.WebClient;
import org.openremote.container.web.WebService;
import org.openremote.container.web.WebTargetBuilder;
import org.openremote.model.Container;
import org.openremote.model.auth.OAuthGrant;
import org.openremote.model.auth.OAuthPasswordGrant;
import org.openremote.model.util.TextUtil;

/* loaded from: input_file:org/openremote/container/security/keycloak/KeycloakIdentityProvider.class */
public abstract class KeycloakIdentityProvider implements IdentityProvider {
    public static final String OR_KEYCLOAK_HOST = "OR_KEYCLOAK_HOST";
    public static final String OR_KEYCLOAK_HOST_DEFAULT = "127.0.0.1";
    public static final String OR_KEYCLOAK_PORT = "OR_KEYCLOAK_PORT";
    public static final int OR_KEYCLOAK_PORT_DEFAULT = 8081;
    public static final String OR_KEYCLOAK_PATH = "OR_KEYCLOAK_PATH";
    public static final String OR_KEYCLOAK_PATH_DEFAULT = "auth";
    public static final String KEYCLOAK_CONNECT_TIMEOUT = "KEYCLOAK_CONNECT_TIMEOUT";
    public static final int KEYCLOAK_CONNECT_TIMEOUT_DEFAULT = 2000;
    public static final String KEYCLOAK_REQUEST_TIMEOUT = "KEYCLOAK_REQUEST_TIMEOUT";
    public static final int KEYCLOAK_REQUEST_TIMEOUT_DEFAULT = 10000;
    public static final String KEYCLOAK_CLIENT_POOL_SIZE = "KEYCLOAK_CLIENT_POOL_SIZE";
    public static final int KEYCLOAK_CLIENT_POOL_SIZE_DEFAULT = 20;
    public static final String OR_IDENTITY_SESSION_MAX_MINUTES = "OR_IDENTITY_SESSION_MAX_MINUTES";
    public static final int OR_IDENTITY_SESSION_MAX_MINUTES_DEFAULT = 1440;
    public static final String OR_IDENTITY_SESSION_OFFLINE_TIMEOUT_MINUTES = "OR_IDENTITY_SESSION_OFFLINE_TIMEOUT_MINUTES";
    public static final int OR_IDENTITY_SESSION_OFFLINE_TIMEOUT_MINUTES_DEFAULT = 2628000;
    protected UriBuilder keycloakServiceUri;
    protected int sessionTimeoutSeconds;
    protected int sessionMaxSeconds;
    protected int sessionOfflineTimeoutSeconds;
    protected ResteasyClient httpClient;
    protected ResteasyWebTarget keycloakTarget;
    protected OAuthGrant oAuthGrant;
    protected LoadingCache<KeycloakRealmClient, KeycloakDeployment> keycloakDeploymentCache;
    protected KeycloakConfigResolver keycloakConfigResolver;
    protected HttpHandler authProxyHandler;
    public static final String ADMIN_CLI_CLIENT_ID = "admin-cli";
    public static final List<String> DEFAULT_CLIENTS = Arrays.asList("account", "account-console", ADMIN_CLI_CLIENT_ID, "broker", "master-realm", "security-admin-console");
    private static final Logger LOG = Logger.getLogger(KeycloakIdentityProvider.class.getName());
    protected final KeycloakDeployment notAuthenticatedKeycloakDeployment = new KeycloakDeployment();
    protected ConcurrentLinkedQueue<RealmsResource> realmsResourcePool = new ConcurrentLinkedQueue<>();

    protected KeycloakIdentityProvider() {
    }

    public OAuthPasswordGrant getDefaultKeycloakGrant(Container container) {
        return new OAuthPasswordGrant(getTokenUri("master").toString(), ADMIN_CLI_CLIENT_ID, (String) null, "openid", "admin", (String) container.getConfig().getOrDefault(IdentityProvider.OR_ADMIN_PASSWORD, IdentityProvider.OR_ADMIN_PASSWORD_DEFAULT));
    }

    @Override // org.openremote.container.security.IdentityProvider
    public void init(Container container) {
        if (this.httpClient != null) {
            return;
        }
        this.sessionMaxSeconds = MapAccess.getInteger(container.getConfig(), OR_IDENTITY_SESSION_MAX_MINUTES, OR_IDENTITY_SESSION_MAX_MINUTES_DEFAULT) * 60;
        if (this.sessionMaxSeconds < 60) {
            throw new IllegalArgumentException("OR_IDENTITY_SESSION_MAX_MINUTES must be more than 1 minute");
        }
        this.sessionTimeoutSeconds = this.sessionMaxSeconds;
        this.sessionOfflineTimeoutSeconds = MapAccess.getInteger(container.getConfig(), OR_IDENTITY_SESSION_OFFLINE_TIMEOUT_MINUTES, OR_IDENTITY_SESSION_OFFLINE_TIMEOUT_MINUTES_DEFAULT) * 60;
        if (this.sessionOfflineTimeoutSeconds < 60) {
            throw new IllegalArgumentException("OR_IDENTITY_SESSION_OFFLINE_TIMEOUT_MINUTES must be more than 1 minute");
        }
        this.keycloakServiceUri = UriBuilder.fromPath("/").scheme("http").host(MapAccess.getString(container.getConfig(), OR_KEYCLOAK_HOST, OR_KEYCLOAK_HOST_DEFAULT)).port(MapAccess.getInteger(container.getConfig(), OR_KEYCLOAK_PORT, OR_KEYCLOAK_PORT_DEFAULT));
        String string = MapAccess.getString(container.getConfig(), OR_KEYCLOAK_PATH, OR_KEYCLOAK_PATH_DEFAULT);
        if (!TextUtil.isNullOrEmpty(string)) {
            this.keycloakServiceUri.path(string);
        }
        LOG.info("Keycloak service URL: " + this.keycloakServiceUri.build(new Object[0]));
        this.httpClient = WebClient.registerDefaults(new ResteasyClientBuilderImpl().connectTimeout(MapAccess.getInteger(container.getConfig(), KEYCLOAK_CONNECT_TIMEOUT, KEYCLOAK_CONNECT_TIMEOUT_DEFAULT), TimeUnit.MILLISECONDS).readTimeout(MapAccess.getInteger(container.getConfig(), KEYCLOAK_REQUEST_TIMEOUT, KEYCLOAK_REQUEST_TIMEOUT_DEFAULT), TimeUnit.MILLISECONDS).connectionPoolSize(MapAccess.getInteger(container.getConfig(), KEYCLOAK_CLIENT_POOL_SIZE, 20))).build();
        this.keycloakDeploymentCache = createKeycloakDeploymentCache();
        this.keycloakConfigResolver = request -> {
            String header = request.getHeader("Realm");
            if (header == null || header.length() == 0) {
                LOG.finest("No realm in request, no authentication will be attempted: " + request.getURI());
                return this.notAuthenticatedKeycloakDeployment;
            }
            KeycloakDeployment keycloakDeployment = getKeycloakDeployment(header, "openremote");
            if (keycloakDeployment != null) {
                return keycloakDeployment;
            }
            LOG.fine("No Keycloak deployment available for realm, no authentication will be attempted: " + request.getURI());
            return this.notAuthenticatedKeycloakDeployment;
        };
        if (container.isDevMode()) {
            this.authProxyHandler = ProxyHandler.builder().setProxyClient(new LoadBalancingProxyClient().addHost(this.keycloakServiceUri.clone().replacePath("").build(new Object[0]))).setMaxRequestTime(MapAccess.getInteger(container.getConfig(), KEYCLOAK_REQUEST_TIMEOUT, KEYCLOAK_REQUEST_TIMEOUT_DEFAULT)).setNext(ResponseCodeHandler.HANDLE_404).setReuseXForwarded(true).build();
        }
    }

    @Override // org.openremote.container.security.IdentityProvider
    public void start(Container container) {
        OAuthPasswordGrant defaultKeycloakGrant;
        OAuthGrant storedCredentials = getStoredCredentials(container);
        if (storedCredentials != null) {
            LOG.info("Found stored credentials so attempting to use them");
            if (setActiveCredentials(storedCredentials)) {
                defaultKeycloakGrant = null;
            } else {
                LOG.warning("Stored keycloak credentials are not valid, falling back to admin user using OR_ADMIN_PASSWORD");
                defaultKeycloakGrant = getDefaultKeycloakGrant(container);
            }
        } else {
            LOG.info("No stored credentials so using OR_ADMIN_PASSWORD");
            defaultKeycloakGrant = getDefaultKeycloakGrant(container);
        }
        if (defaultKeycloakGrant != null) {
            if (!setActiveCredentials(defaultKeycloakGrant)) {
                LOG.warning("Credentials don't work so cannot continue");
                throw new RuntimeException("Credentials don't work so cannot continue");
            }
            LOG.info("OR_ADMIN_PASSWORD credentials are valid so creating/recreating stored credentials");
            OAuthGrant generateStoredCredentials = generateStoredCredentials(container);
            if (generateStoredCredentials == null) {
                LOG.info("Failed to generate stored credentials will continue using OR_ADMIN_PASSWORD");
                return;
            }
            LOG.info("Stored credentials successfully generated so using them");
            if (setActiveCredentials(generateStoredCredentials)) {
                return;
            }
            LOG.warning("Something went wrong trying to use the new stored credentials, cannot proceed");
            throw new RuntimeException("Something went wrong trying to use the new stored credentials, cannot proceed");
        }
    }

    @Override // org.openremote.container.security.IdentityProvider
    public void stop(Container container) {
        if (this.httpClient != null) {
            this.httpClient.close();
        }
    }

    @Override // org.openremote.container.security.IdentityProvider
    public void secureDeployment(DeploymentInfo deploymentInfo) {
        deploymentInfo.setLoginConfig(new LoginConfig(SimpleKeycloakServletExtension.AUTH_MECHANISM, "OpenRemote"));
        deploymentInfo.addServletExtension(new SimpleKeycloakServletExtension(this.keycloakConfigResolver));
    }

    public KeycloakResource getKeycloak() {
        return (KeycloakResource) this.keycloakTarget.proxy(KeycloakResource.class);
    }

    protected void syncUsers(String str, String str2, String str3) {
        getRealms(realmsResource -> {
            realmsResource.realm(str2).userStorage().syncUsers(str, str3);
            return null;
        });
    }

    public final synchronized <T> T getRealms(Function<RealmsResource, T> function) {
        ResteasyWebTarget resteasyWebTarget = this.keycloakTarget;
        RealmsResource poll = this.realmsResourcePool.poll();
        RealmsResource realmsResource = poll;
        if (poll == null) {
            realmsResource = (RealmsResource) this.keycloakTarget.proxy(RealmsResource.class);
        }
        try {
            T apply = function.apply(realmsResource);
            if (resteasyWebTarget == this.keycloakTarget) {
                this.realmsResourcePool.offer(realmsResource);
            }
            return apply;
        } catch (Throwable th) {
            if (resteasyWebTarget == this.keycloakTarget) {
                this.realmsResourcePool.offer(realmsResource);
            }
            throw th;
        }
    }

    public synchronized KeycloakDeployment getKeycloakDeployment(String str, String str2) {
        if (str == null || str2 == null) {
            return null;
        }
        try {
            return (KeycloakDeployment) this.keycloakDeploymentCache.get(new KeycloakRealmClient(str, str2));
        } catch (Exception e) {
            if (e.getCause() == null || !(e.getCause() instanceof NotFoundException)) {
                LOG.log(Level.WARNING, "Error loading client '" + str2 + "' for realm '" + str + "' from identity provider, exception from call to identity provider follows", (Throwable) e);
                return null;
            }
            LOG.fine("Client '" + str2 + "' for realm '" + str + "' not found on identity provider");
            return null;
        }
    }

    public URI getTokenUri(String str) {
        return this.keycloakServiceUri.clone().path("realms").path(str).path("protocol/openid-connect/token").build(new Object[0]);
    }

    public Supplier<String> getAccessTokenSupplier(OAuthGrant oAuthGrant) {
        OAuthFilter oAuthFilter = new OAuthFilter(this.httpClient, oAuthGrant);
        return () -> {
            try {
                return oAuthFilter.getAccessToken();
            } catch (Exception e) {
                LOG.log(Level.INFO, "Failed to get OAuth access token using grant: " + oAuthGrant, (Throwable) e);
                return null;
            }
        };
    }

    public synchronized boolean setActiveCredentials(OAuthGrant oAuthGrant) {
        if (Objects.equals(this.oAuthGrant, oAuthGrant)) {
            return true;
        }
        this.oAuthGrant = oAuthGrant;
        if (oAuthGrant != null) {
            oAuthGrant.setTokenEndpointUri(getTokenUri("master").toString());
        }
        URI build = this.keycloakServiceUri.build(new Object[0]);
        this.keycloakTarget = new WebTargetBuilder(this.httpClient, build).setOAuthAuthentication(oAuthGrant).build();
        this.realmsResourcePool.clear();
        LOG.info("Keycloak proxy URI set to: " + build);
        LOG.info("Validating keycloak credentials");
        try {
            getRealms(realmsResource -> {
                realmsResource.realm("master").toRepresentation();
                LOG.info("Credentials are valid");
                return null;
            });
            return true;
        } catch (Exception e) {
            LOG.info("Credentials are invalid");
            return false;
        }
    }

    protected abstract OAuthGrant getStoredCredentials(Container container);

    protected abstract OAuthGrant generateStoredCredentials(Container container);

    protected LoadingCache<KeycloakRealmClient, KeycloakDeployment> createKeycloakDeploymentCache() {
        return CacheBuilder.newBuilder().maximumSize(500L).expireAfterWrite(10L, TimeUnit.MINUTES).build(new CacheLoader<KeycloakRealmClient, KeycloakDeployment>() { // from class: org.openremote.container.security.keycloak.KeycloakIdentityProvider.1
            public KeycloakDeployment load(KeycloakRealmClient keycloakRealmClient) {
                KeycloakIdentityProvider.LOG.finest("Loading adapter config for client '" + keycloakRealmClient.clientId + "' in realm '" + keycloakRealmClient.realm + "'");
                AdapterConfig adapterConfig = ((KeycloakResource) WebClient.getTarget(KeycloakIdentityProvider.this.httpClient, KeycloakIdentityProvider.this.keycloakServiceUri.build(new Object[0]), null, null, null).proxy(KeycloakResource.class)).getAdapterConfig(keycloakRealmClient.realm, "openremote");
                adapterConfig.setAuthServerUrl(KeycloakIdentityProvider.this.keycloakServiceUri.clone().build(new Object[0]).toString());
                adapterConfig.setPrincipalAttribute("preferred_username");
                return KeycloakDeploymentBuilder.build(adapterConfig);
            }
        });
    }

    protected void enableAuthProxy(WebService webService, String str) {
        if (this.authProxyHandler == null) {
            throw new IllegalStateException("Initialize this service first");
        }
        LOG.info("Enabling auth reverse proxy (passing requests through to Keycloak) on web context: /" + str);
        webService.getRequestHandlers().add(0, WebService.pathStartsWithHandler("Keycloak auth proxy", "/" + str, this.authProxyHandler));
    }

    protected abstract void addClientRedirectUris(String str, List<String> list, boolean z);

    public static KeycloakSecurityContext getSecurityContext(Subject subject) {
        if (subject == null || subject.getPrincipals() == null) {
            return null;
        }
        return (KeycloakSecurityContext) subject.getPrincipals().stream().filter(principal -> {
            return principal instanceof KeycloakPrincipal;
        }).findFirst().map(principal2 -> {
            return ((KeycloakPrincipal) principal2).getKeycloakSecurityContext();
        }).orElse(null);
    }

    public static String getSubjectName(Subject subject) {
        if (subject == null || subject.getPrincipals() == null) {
            return null;
        }
        return (String) subject.getPrincipals().stream().filter(principal -> {
            return principal instanceof KeycloakPrincipal;
        }).findFirst().map((v0) -> {
            return v0.getName();
        }).orElse(null);
    }

    public static String getSubjectName(Principal principal) {
        return (String) Optional.ofNullable(principal).map((v0) -> {
            return v0.getName();
        }).orElse(null);
    }

    public static String getSubjectNameAndRealm(Principal principal) {
        return (String) Optional.ofNullable(principal).map(principal2 -> {
            return principal2 instanceof KeycloakPrincipal ? ((KeycloakPrincipal) principal2).getKeycloakSecurityContext().getRealm() + ":" + principal2.getName() : principal2.getName();
        }).orElse(null);
    }

    public static String getSubjectNameAndRealm(Subject subject) {
        if (subject == null || subject.getPrincipals() == null) {
            return null;
        }
        return (String) subject.getPrincipals().stream().filter(principal -> {
            return principal instanceof KeycloakPrincipal;
        }).findFirst().map(principal2 -> {
            return ((KeycloakPrincipal) principal2).getKeycloakSecurityContext().getRealm() + ":" + principal2.getName();
        }).orElse(null);
    }

    public static String getSubjectId(Subject subject) {
        if (subject == null || subject.getPrincipals() == null) {
            return null;
        }
        return (String) Optional.ofNullable(getSecurityContext(subject)).map((v0) -> {
            return v0.getToken();
        }).map((v0) -> {
            return v0.getSubject();
        }).orElse(null);
    }

    public static boolean isSuperUser(KeycloakSecurityContext keycloakSecurityContext) {
        return keycloakSecurityContext != null && "master".equals(keycloakSecurityContext.getRealm()) && keycloakSecurityContext.getToken().getRealmAccess().isUserInRole("admin");
    }
}
